WPLake > Learning Hub > Securing Your WordPress: 5 Essentials to Protect Your Site
  • Deutsch
  • Español
  • Français
  • Italiano

Securing Your WordPress: 5 Essentials to Protect Your Site

Protect your website, by changing login URL, disabling unauthorized REST API, directory browsing, .git folder access, and xmlrpc.php.

Key Points at a Glance

  1. Theme and Plugin Verification: Verify themes and plugins before installation to prevent security risks; prefer downloading from the official WordPress repository or trusted sources.
  2. Changing Login URL and Captcha: Secure WordPress from brute force attacks by changing the login URL and adding a captcha to the login page using plugins like WPS Hide Login and hCaptcha.
  3. Disabling REST API for Unauthorized Users: Prevent unauthorized access to usernames by disabling REST API for unauthorized users while ensuring the functionality for authorized editors and admins.
  4. Disabling Directory Browsing: Disable directory browsing to prevent hackers from accessing file structures and finding vulnerabilities in plugins and themes.
  5. Denying Access to .git Folder: Protect the source code of your website by denying access to the .git folder, commonly used by developers, through server configuration.
  6. Denying Access to xmlrpc.php File: Secure WordPress from password brute force attacks by denying access to the xmlrpc.php file, which provides an entry point for attackers.

Table of Contents

Some people feel lazy when hear talking about security and don't follow very basic instructions. Of course, as long their website won't be hacked. Others become crazy and lock everything that is possible, making the user experience worse. Let's fit the gold middle and secure WordPress from the most often threats, but without becoming paranoid. Following these tips will save you from using heavy and expensive security plugins.

Basic for beginners

Here I must say a couple of words about very basic things that are related to security. The next information is only for beginners, feel free to skip it if you feel self-confidence in basic security questions.

So, you must know that most hacks happen not due to vulnerability in code, but due to rough mistakes in using the software. Read what must a good WordPress developer know to understand what should be learnt by you to use WordPress properly.


1. Don't use weak passwords

Any password must contain 16+ random characters, including special characters. Hackers have lists of commonly used phrases and use them in brute-force attacks. They can easily get access to your admin panel, in case your password isn't a random string. Never, ever use names or words in your password.

2. Don't share passwords with third-party faces

Even with developers. If you need to get some work done by them, create for them a separate account. And always change the password for that account after they've done tasks.

3. Keep passwords in a safe place

Writing on paper is a bad idea. Storing in online services also may be a bad idea. The best case is using an offline app. There are plenty of programs that allow storing passwords securely. For example, our agency for keeping all credentials, including clients, uses KeePassXC.

4. Don't share passwords via insecure channels

Do it via secure channels or change the password in a short time after sharing. Even if you need to share a password with your client, ask them for changing the password after receiving it. Slack or messenger channels aren't fit for this goal.

A secure channel doesn't mean offline. It can be various services, that provide a one-time link, or even a mail vendor, like Proton, that provides password-protected emails.

Unverified themes and plugins

It's the most common mistake of beginners. They see how many options there are to customize a website and begin to install all plugins and try all themes that can be found. Usually, prefer free or nulled (hacked). Most of these plugins WILL contain viruses or vulnerabilities, it's a price of accessibility.

If we talk about free plugins, you can secure your WordPress by downloading plugins ONLY from the official WordPress repository. Or from the built-in Plugins item in your WordPress admin menu, which is the same. Also, check the number of active installations, which must be bigger than 100. And pay attention to the last updated date, that must be less than a year ago.

If we talk about paid Pro plugins, make sure that you're purchasing on an official website, and that there are independent reviews that confirm the quality of the plugin. For sure, not from words on their website, but from other resources.

Verifying things before installation is a very important skill. A bad theme or plugin not only makes your website insecure but also slows it down.

5 Pro Tips to secure WordPress

1. Change your login url and add a captcha

The brute force of login credentials is the most often practice of hackers. They send hundreds of requests to your website via the login page. Even if you have a strong password it still creates extra loading to your website. Plus, if you're a developer, you can't guarantee that the owner or his editors won't use weak passwords. This step will be an extra layer that will protect admin accounts.

To secure WordPress from brute force, we use the WPS Hide Login plugin to change the login url. It can be done easily, and furthermore, it won't change the admin url for authorized users. So it only locks wp-admin and wp-login.php from unauthorized users, editors and admins must visit a new url to login, and then can use ordinary wp-admin to access the admin panel.

You can use the hCaptcha or Simple Google Captcha plugin to add a captcha to the login page. Both work well with the plugin above and add a captcha via code hooks. Which means they will work with any custom login URL. We recommend using the hCaptcha plugin, as the service respects user privacy, unlike Google Captcha.

Both plugins add the captcha code but do not sign up a service account for you. You must sign up and get credentials from hCaptcha.com or Google ReCaptcha, depending on the chosen plugin.

2. Disable REST API for unauthorized users

REST API allows getting a list of usernames without trouble. Hackers still will need to get a password, but hey, let's make their life even worse. Plus, even the names (usernames) of editors of your website can be a part of private information, what is the goal to share it with the whole world? REST API is used in WordPress for example by Gutenberg editor (and different plugins), so completely disabling will break the work of a WordPress website.

The golden middle is disabling REST API for unauthorized users. It won't create any issues for authorized editors and admins but will secure WordPress against leaking usernames to third-party faces.

We use the Disable REST API plugin for this goal, and by default, it's configured to disable only unauthorized users, so you can just enable the plugin and don't make any extra steps.

3. Disable directory browsing

Directory browsing is an insecure feature, that allows seeing a list of files in a request folder via browser, in case the 'index.php' file is missing. To find vulnerabilities in your plugins and themes hackers must know their file structure.

WordPress has the index.php stub for all the basic folders, like /wp-content/, /wp-content/plugins/, and /wp-content/themes/, but can't guarantee that every plugin or theme developer does the same. For this goal, you need to make sure that your web server doesn't allow directory browsing.

Try to visit YOUR_DOMAIN/wp-includes/ in your browser. If you see the 'Not Found' message, it means your server already doesn't allow it, you can skip this item. In case you see a list of files, you must do extra actions to disable directory browsing.

To do this, we need to modify the .htaccess file. I don't recommend editing this file via FTP, like many others. Due to the fact that this file is regularly recreated by many plugins. E.g. all cache plugins or similar. This means your change most likely will be lost after some time. We can add our modification on a permanent basis with the following code snippet, which you can add to your functions.php:

add_filter('mod_rewrite_rules', function ($rules) {
    return $rules . "\n" .
        "#Disable directory browsing\n" .
        "Options -Indexes\n";

Then visit the Settings-Permalinks page in your admin panel, it'll force WordPress to recreate the .htaccess file immediately. After, you can visit YOUR_DOMAIN/wp-includes/ again to make sure that now it displays the 404 message (which is good).

4. Deny access to the git folder

Skip this step in case you use plain hosting or you uploaded the website manually, without GIT.

Many developers use GIT, which is a wonderful tool. Using GIT on production is also a good idea, but you must disable access to the .git folder via a browser in this case. Otherwise using the .git/HEAD file they'll be able to recreate all a tree of commits and get the source code of your website.

For this goal, you need to lock all /.git/* requests. You can contact your system administrator or hosting provider. In case you've enough skills and your server uses NGINX then you can reach it by adding the following code (add to the NGINX config file of your website)

# deny access to all special files and folders, like .git, .htaccess
location ~ /\. {
  deny all;

Don't forget to restart NGINX after it.

5. Deny access to the xmlrpc.php file

XML-RPC is an old feature of WordPress. Most of websites don't use it, and it exists just for compatibility with old software. This feature allows interaction with your website directly, without opening in a browser. The bad thing is that hackers can brute force passwords using this feature because even if you've changed the login url and added a captcha from the steps above, this feature still gives an option for them to check passwords.

To deny access to the file you can contact your system administrator or hosting provider. If you've enough skills, below we provide snippets that will do it:


If your server uses NGINX then you can reach it by adding the following code (add to the NGINX config file of your website):

# wordpress xmlrpc
location /xmlrpc.php {
  deny all;

Don't forget to restart NGINX after it.


If your server has the DirectAdmin control panel, you can connect to your server by SSH and achieve the goal by executing the following commands;

// 1. create the custom folder in the directadmin config
cd /usr/local/directadmin/data/templates
mkdir custom/; cd custom

// 2. create the necessary files in the folder and setup rights
touch nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post 
touch nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
chmod 644 nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
chmod 644 nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

// 3. enter the edit mode for the new (created) config
nano nginx_server.conf.CUSTOM.4.post

// and and the content below to the file
// this is the rule that will lock the xmlrcp file
location =/xmlrpc.php 
    deny all;

// 4. copy the main config to the others
cp -p nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
cp -p nginx_server_secure.conf.CUSTOM.4.post nginx_server_secure_sub.conf.CUSTOM.4.post
cp -p nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

// 5. make the build
cd /usr/local/directadmin/custombuild/
./build rewrite_confs


We've reviewed the 5 most important steps to secure WordPress from hacking. In fact, steps 3-5 can be done by a system administrator (or hosting provider) only once and will work for all websites on your account. Since you've done them, you can be sure that you have a very good level of protection, and you can don't purchase security plugins, which are often heavy and slow down a website.

Was this article helpful?

Totally useless

Slightly helpful

Very helpful

FAQ mode


Learning mode

  1. How can I securely share passwords with third-party developers?

    Create separate accounts for developers and change the password after tasks are completed to maintain security.

  2. Why is it essential to verify themes and plugins before installation?

    Verifying themes and plugins ensures they are from trusted sources, reducing the risk of security vulnerabilities and breaches.

  3. What steps can I take to prevent brute-force attacks on my WordPress login page?

    Changing the login URL and adding a captcha to the login page using plugins like WPS Hide Login and hCaptcha can deter brute-force attacks.

  4. How can I protect sensitive information, such as usernames, from being accessed by unauthorized users?

    Disabling REST API for unauthorized users prevents access to usernames while maintaining functionality for authorized users.

  5. Why is it important to disable directory browsing on my WordPress site?

    Disabling directory browsing prevents hackers from accessing file structures and finding vulnerabilities in plugins and themes.

  6. What measures can I take to protect the source code of my website when using GIT on production?

    Denying access to the .git folder through server configuration ensures the security of the source code.

  7. How can I further enhance WordPress security by denying access to specific files?

    Denying access to files like xmlrpc.php prevents potential entry points for attackers, strengthening overall website security.

Course navigation: WordPress Proficiency

Content links (13)

About the Author

Maxim Akimov

Certified WordPress expert from Ukraine with over 8 years of experience. Advocate of the BEM methodology and the overall modular approach. Loves sporting activities and enjoys going to the gym and regularly plays table tennis.


Thank you very much for your information; it is just what I was looking for. May I ask what software you use for your fantastic and quick website? I too intend to build a straightforward website for my company, however I require advice on a name and hosting. Asphostportal is said to have an excellent reputation for it. Are there any other options available, or can you recommend them?
Hi Anna.

We're glad to hear that the information is useful for you.

Our website is built on WordPress. We created a unique design and implemented it using a custom modular theme, which doesn't rely on global assets like some other themes.

You can find our hosting recommendations in this article.

Asphostportal is a Windows hosting provider, which is a less common option. We would recommend considering some Linux-based hosting options instead.

    Leave a comment

    Reply to 

    Please be considerate when leaving a comment.

    Not shown publicly

    Got it